Posts by Andy Morris, LogLogic

Will anyone learn from this?

The questions Shell should be asking now are: could this have been prevented? How did they get in? Are those doors now shut? Are processes being updated to make sure similar attacks don't happen? And finally, are processes being updated to make sure that when this happens again, the disaster team swings into place with seamless grace?

It's all about being in control, not just wildly trying to put out fires. Find out how it happened, establish the impact of the breach, and reassure your base that it won't happen again. The question, of course, is how do they get those answers?

No matter what happens across applications, databases, operating systems, routers, switches, firewalls, VPNs and the hundred other devices that make up the rich, varied and interoperable fabric of your IT backbone, it is all recorded. There are electronic surveillance cameras everywhere, recording the basic facts: the very 'truth' of what happened, when, where and by whom. Systems produce millions of log records every day. By investing in a system that can collect those logs, parse them, understand them deeply, normalise them and then correlate the data, they can either trace stolen data back through the network to the hole that let it out, or start from the hole and run forward to find out what was taken.

The logs are the only evidence that lets you do this, and they only help if they were being generated in the first place, shipped off the originating hosts before an intruder could alter or delete them, and retained long enough to cover the whole intrusion. So it is important that they respond quickly and get their house in order, as those penalty fines are going to be a whole lot bigger very shortly.
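To make the collect, parse, normalise, correlate, trace cycle concrete, here is a small added example in Python. It is not LogLogic's code and has nothing to do with Shell's systems: the VPN, database audit and firewall log lines are constructed, the device names, users and addresses are invented, and the field layouts are assumptions chosen to resemble typical syslog output. The pivot that ties the three sources together is the internal address the VPN assigns to a session; from a suspect login the example runs forward to what was read and what left the network, and from a known-stolen table it traces back to the session and external address that read it.

```python
import re
from datetime import datetime

# Constructed sample lines (not real traffic): a VPN concentrator, a database
# audit log and a firewall, each in its own native format. All names, users
# and addresses are invented for this example.
RAW_LOGS = [
    "2011-03-02T22:14:05Z vpn01 sslvpn: user=jsmith src=203.0.113.9 event=login assigned=10.8.0.23",
    "2011-03-02T22:16:40Z db01 audit: client=10.8.0.23 user=jsmith op=SELECT object=hr.employees rows=41200",
    "2011-03-02T22:17:12Z db01 audit: client=10.8.0.23 user=jsmith op=SELECT object=hr.payroll rows=38900",
    "2011-03-02T22:19:03Z fw01 kernel: OUT src=10.8.0.23 dst=198.51.100.77 dport=443 bytes=73400000",
    "2011-03-02T23:01:00Z vpn01 sslvpn: user=jsmith src=203.0.113.9 event=logout assigned=10.8.0.23",
    "2011-03-02T22:30:00Z vpn01 sslvpn: user=mjones src=192.0.2.5 event=login assigned=10.8.0.31",
    "2011-03-02T22:31:10Z db01 audit: client=10.8.0.31 user=mjones op=SELECT object=hr.employees rows=1",
]

# Common syslog-style header, then one field extractor per log source. Each
# extractor maps the source's own field names onto a shared schema; "host" is
# the internal address that lets events from different devices be joined.
HEADER = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<program>\w+): (?P<msg>.*)$")
PARSERS = {
    "sslvpn": re.compile(r"user=(?P<user>\S+) src=(?P<src_ip>\S+) event=(?P<action>\S+) assigned=(?P<host>\S+)"),
    "audit": re.compile(r"client=(?P<host>\S+) user=(?P<user>\S+) op=(?P<action>\S+) object=(?P<object>\S+) rows=(?P<rows>\d+)"),
    "kernel": re.compile(r"OUT src=(?P<host>\S+) dst=(?P<dst_ip>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"),
}


def parse_line(line):
    """Parse one raw line into a normalised event dict, or None if the source is unknown."""
    head = HEADER.match(line)
    if not head or head["program"] not in PARSERS:
        return None
    body = PARSERS[head["program"]].match(head["msg"])
    if not body:
        return None
    event = {"ts": datetime.strptime(head["ts"], "%Y-%m-%dT%H:%M:%SZ"),
             "device": head["device"], "program": head["program"]}
    event.update(body.groupdict())
    for key in ("rows", "bytes"):
        if key in event:
            event[key] = int(event[key])
    return event


def normalize(lines):
    """All parseable lines as events, in time order regardless of which device emitted them."""
    return sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])


def build_sessions(events):
    """Pair each VPN login with its logout to get a (user, host, window) for every session."""
    sessions = []
    for e in events:
        if e["program"] != "sslvpn":
            continue
        if e["action"] == "login":
            sessions.append({"user": e["user"], "host": e["host"], "src_ip": e["src_ip"],
                             "start": e["ts"], "end": None})
        elif e["action"] == "logout":
            for s in sessions:
                if s["user"] == e["user"] and s["host"] == e["host"] and s["end"] is None:
                    s["end"] = e["ts"]  # an open session with no logout keeps end=None
                    break
    return sessions


def events_in_session(events, session):
    """Correlate: every non-VPN event from the session's internal host inside its time window."""
    return [e for e in events
            if e["program"] != "sslvpn" and e["host"] == session["host"]
            and session["start"] <= e["ts"]
            and (session["end"] is None or e["ts"] <= session["end"])]


def run_forward(events, session):
    """From a suspect login (the hole), run forward: what was read and what left the network."""
    linked = events_in_session(events, session)
    return {
        "objects": [e["object"] for e in linked if e["program"] == "audit"],
        "rows": sum(e["rows"] for e in linked if e["program"] == "audit"),
        "bytes_out": sum(e["bytes"] for e in linked if e["program"] == "kernel"),
        "destinations": sorted({e["dst_ip"] for e in linked if e["program"] == "kernel"}),
    }


def trace_back(events, object_name):
    """From a known-stolen object, trace back to each session (user, external IP, start) that read it."""
    hits = []
    for s in build_sessions(events):
        if any(e["program"] == "audit" and e["object"] == object_name
               for e in events_in_session(events, s)):
            hits.append((s["user"], s["src_ip"], s["start"]))
    return hits


if __name__ == "__main__":
    evs = normalize(RAW_LOGS)
    for s in build_sessions(evs):
        print(s["user"], "from", s["src_ip"], run_forward(evs, s))
    print("hr.payroll read by:", trace_back(evs, "hr.payroll"))
```

Run stand-alone it shows the jsmith session reading two HR tables and then pushing roughly 73 MB to an external address, while the mjones session reads one row and sends nothing out; tracing back from hr.payroll lands on jsmith's login and its external source address. In a real deployment the per-source regexes are the part that grows without bound, which is exactly why the paragraph above stresses parsing and normalising before correlating.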